fake

[Content by Gemini 2.5]

Ransomware Resource Sheet

Target variant: Files tagged with the extension “.fake” (placeholder designation – real campaigns typically brand themselves differently).


TECHNICAL BREAKDOWN

1. File Extension & Renaming Patterns

  • Confirmed indicator: Encrypted files are given the suffix “.fake” (e.g., invoice_2010.xlsx.fake, Project.pptx.fake).
  • Renaming convention: Original name + original extension + additional “.fake”; no email address or random ID appended—an unusual, minimal pattern that helps the victim notice the change instantly.
  • NOTE: Because “.fake” is such an uncommon suffix, analysts quickly spot it in logs and SOC searches, making triage easier.
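The renaming convention above is simple enough to turn into a scoping script. The following Python code is an added illustration (it is not part of this sheet and not the ransomware's or any vendor's code): it walks a directory tree, recovers the original name and extension from every “.fake” file, builds a per-extension histogram of what was hit, and records which directories contain the ransom note named later in this sheet (HOWTORECOVER.FAKE.txt) and which hold encrypted files but no note. The sample tree it builds is constructed for the dry run; the function names are my own.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the sheet: the ".fake" suffix appended after the
# original extension, and the ransom note dropped in every directory.
FAKE_SUFFIX = ".fake"
RANSOM_NOTE = "HOWTORECOVER.FAKE.txt"


def parse_fake_name(filename: str):
    """Split 'invoice_2010.xlsx.fake' into ('invoice_2010', '.xlsx').

    Returns None when the file does not carry the .fake suffix. A file that
    had no extension before encryption yields an empty extension string.
    """
    if not filename.lower().endswith(FAKE_SUFFIX):
        return None
    original = filename[: -len(FAKE_SUFFIX)]
    stem, ext = os.path.splitext(original)
    return stem, ext.lower()


def triage_tree(root: str) -> dict:
    """Walk a directory tree and summarise the encryption impact.

    Returns the number of encrypted files, a per-extension histogram (which
    file types were hit), the directories containing a ransom note, and the
    directories holding encrypted files but no note (a hint that the run was
    interrupted or that a second payload copy is still active).
    """
    encrypted = 0
    by_ext = Counter()
    note_dirs = set()
    hit_dirs = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in filenames:
            if name == RANSOM_NOTE:
                note_dirs.add(rel)
                continue
            parsed = parse_fake_name(name)
            if parsed is None:
                continue
            encrypted += 1
            by_ext[parsed[1] or "<none>"] += 1
            hit_dirs.add(rel)
    return {
        "encrypted_files": encrypted,
        "by_extension": dict(by_ext),
        "note_dirs": sorted(note_dirs),
        "hit_dirs_without_note": sorted(hit_dirs - note_dirs),
    }


def build_sample_tree() -> str:
    """Create a constructed sample tree (not real victim data) for a dry run."""
    root = tempfile.mkdtemp(prefix="fake_triage_")
    layout = {
        "finance/invoice_2010.xlsx.fake": b"",
        "finance/HOWTORECOVER.FAKE.txt": b"",
        "slides/Project.pptx.fake": b"",
        "slides/notes.txt": b"",          # untouched file
        "archive/README.fake": b"",       # encrypted file that had no extension
    }
    for relpath, data in layout.items():
        p = Path(root, relpath)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    report = triage_tree(build_sample_tree())
    for key, value in report.items():
        print(f"{key}: {value}")
```

The hit_dirs_without_note list is worth a look during scoping: since the sheet states the note is dropped in every directory, encrypted files with no note nearby point to an interrupted run or a payload copy that was still working when the host was isolated.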

2. Detection & Outbreak Timeline

  • First submitted samples: Late-October 2023 (public malware repositories).
  • Rapid uptick observed: November-December 2023; most submissions from EU & NA mid-sized organisations.
  • Still active as of: Q2 2024 (newer builds signed with stolen certs).
  • Detection ratio: 30/72 (Oct 2023) → now 58/72 (May 2024); steady signature refinement by AV vendors.

3. Primary Attack Vectors

  • Phishing with ISO / IMG lures – payload is a counterfeit procurement contract; double-clicking the ISO mounts it, bypasses Mark-of-the-Web (MOTW) checks, then executes a .dll via rundll32.
  • Exploitation of un-patched MS Exchange (CVE-2023-XX, “ProxySomething” chain) – webshell dropper subsequently installs the Fake encryptor.
  • RDP brute-force + credential stuffing – attackers map the domain, identify high-privilege accounts, then schedule “Fake.exe” via GPO.
  • Legitimate but misused tools (living-off-the-land) – WMI event subscription to trigger encryption at 01:30 local time; PsExec to push to other LAN hosts.
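The vectors above leave characteristic traces in Windows 4688 process-creation events, the same log the removal section asks responders to collect. As an added example (not part of the sheet and not a vendor rule set), the following Python code runs three heuristics over a constructed JSON-lines export of such events: rundll32 loading a DLL from outside the system directories (the shape of the mounted-ISO lure, which gets its own drive letter), the PsExec service binary starting on a host, and the WMI provider host spawning a binary from a user-writable path, with an off-hours annotation added only when something else already matched. Host names, users and paths in the sample are constructed; the rule names, directory lists and thresholds are my own.

```python
import json
import re
from datetime import datetime

# Constructed Windows 4688 (process creation) events, flattened to JSON lines
# the way a SIEM export might look. Not real telemetry; hosts and users are made up.
SAMPLE_4688 = r"""
{"time":"2024-05-10T09:12:03","host":"WS-017","image":"C:\\Windows\\System32\\rundll32.exe","parent":"C:\\Windows\\explorer.exe","cmdline":"rundll32.exe E:\\Procurement_Contract.dll,Start","user":"ACME\\jdoe"}
{"time":"2024-05-10T09:15:44","host":"WS-017","image":"C:\\Windows\\System32\\rundll32.exe","parent":"C:\\Windows\\explorer.exe","cmdline":"rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL","user":"ACME\\jdoe"}
{"time":"2024-05-10T23:48:10","host":"SRV-02","image":"C:\\Windows\\PSEXESVC.exe","parent":"C:\\Windows\\System32\\services.exe","cmdline":"C:\\Windows\\PSEXESVC.exe","user":"NT AUTHORITY\\SYSTEM"}
{"time":"2024-05-11T01:30:02","host":"FS-01","image":"C:\\ProgramData\\Oracle\\bin\\fake.exe","parent":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","cmdline":"fake.exe","user":"ACME\\svc_backup"}
{"time":"2024-05-11T10:02:19","host":"FS-01","image":"C:\\Windows\\System32\\msiexec.exe","parent":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","cmdline":"msiexec.exe /i agent.msi /qn","user":"NT AUTHORITY\\SYSTEM"}
{"time":"2024-05-11T10:05:00","host":"WS-017","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","parent":"C:\\Windows\\explorer.exe","cmdline":"EXCEL.EXE","user":"ACME\\jdoe"}
"""

# Directory allow/deny lists are my own assumptions; tune them per environment.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "\\temp\\")
RUNDLL32_DLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return (rule, detail) findings for one 4688 record; empty if nothing matched."""
    findings = []
    image = event["image"].lower()
    parent = _basename(event["parent"])
    cmd = event.get("cmdline", "")
    name = _basename(image)

    # Rule 1: rundll32 loading a DLL from outside the system directories
    # (a mounted ISO shows up under a fresh drive letter, never under C:\Windows).
    if name == "rundll32.exe":
        m = RUNDLL32_DLL.search(cmd)
        if m and not m.group(1).lower().startswith(SYSTEM_DIRS):
            findings.append(("rundll32_nonsystem_dll", m.group(1)))

    # Rule 2: the PsExec service binary starting on a host (remote push).
    if name == "psexesvc.exe":
        findings.append(("psexec_service_started", event["image"]))

    # Rule 3: the WMI provider host spawning a binary from a user-writable path,
    # which is how a WMI event-subscription trigger appears in 4688 data.
    if parent == "wmiprvse.exe" and any(marker in image for marker in USER_WRITABLE):
        findings.append(("wmi_spawned_user_path", event["image"]))

    # Context only: annotate off-hours when something else already matched, so
    # ordinary overnight maintenance does not create noise on its own.
    if findings and datetime.fromisoformat(event["time"]).hour < 5:
        findings.append(("off_hours_execution", event["time"]))
    return findings


def hunt(jsonl_text: str) -> list:
    """Run every record through classify() and keep only those with findings."""
    hits = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        found = classify(event)
        if found:
            hits.append({"host": event["host"], "time": event["time"],
                         "image": event["image"], "findings": found})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_4688):
        print(hit["host"], hit["time"], hit["image"], hit["findings"])
```

Rule 1 also fires on legitimate DLLs run from network shares or removable media, so treat each hit as a triage signal rather than a verdict; the value of the set is that a single host matching two or more rules within a short window is rare in normal operations.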

REMEDIATION & RECOVERY STRATEGIES

1. Prevention

  1. Disable SMBv1 at scale via GPO; enforce SMB signing.
  2. Apply Exchange security updates: Mar-2024 cumulative plus the out-of-band CVE-2023-XX patch.
  3. Enforce 2FA/VPN-only RDP; limit interactive logons for privileged accounts; stagger local-admin passwords (LAPS).
  4. Mail-gateway filters: strip ISO/IMG attachments or auto-convert to .zip; display external-sender banners.
  5. Application whitelisting (WDAC/AppLocker) – default-deny with allow-by-certificate rules; blocks rundll32 abuse.
  6. Harden PowerShell – enforce Constrained Language Mode for non-admins; log & ship 4103/4104 events to the SIEM.
  7. Backup strategy: 3-2-1 rule; offline/air-gapped copy; periodic restore drills; immutable cloud snapshots (e.g., Azure Blob WORM).
  8. Disable Windows Script Host (cscript/wscript) if unused; change the default “.iso” handler from Explorer to Notepad for average users (raises alarm if double-clicked).

2. Removal

  1. Isolate compromised host(s) – disable Wi-Fi, pull Ethernet; leave powered on to preserve volatile artefacts.
  2. Identify the running Fake payload (common paths):
     C:\Users\<user>\.cache\svrun.exe
     C:\ProgramData\Oracle\bin\fake.exe
     %TEMP%\7z<random>\del.exe
  3. Collect forensics first:
     • Full memory dump (DumpIt, winpmem).
     • Prefetch / amcache / ShimCache.
     • Event logs 4688/4624/4648 (process creation + logon).
  4. Disable the malicious scheduled task (“SvcOracleCache”).
  5. Terminate processes (taskkill /IM fake.exe /F), then delete binaries & persistence keys:
     • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OracleCache
     • HKLM\SYSTEM\CurrentControlSet\Services\ParallelDisk (boot-start service).
  6. Run AV/EDR full scan with updated signatures (many vendors detect this as Ransom:Win32/FakeCrypt, Trojan:Win64/FileCoder!MSR).
  7. Patch the vector used in the breach, reset ALL privileged passwords, audit AD for newly-created accounts.
  8. Re-image the machine if possible; a clean rebuild is the only way to guarantee no backdoors (Cobalt Strike beacons often accompany Fake).
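Before deleting anything in the persistence step, a responder usually wants a list of every autorun and service entry that looks out of place, not only the two names the sheet gives. The following Python script is added here as an illustration (it is not part of the sheet and not vendor tooling): it parses the text output of “reg query /s” for the Run key and the Services hive, then flags entries whose binary lives in a user-writable location, services configured to boot-start from such a location, and names that match the indicators listed in the removal steps. The registry extract it parses is constructed for the example; the path heuristics, environment-variable expansion and function names are my own assumptions.

```python
import re

# Constructed "reg query /s" output (not from a real host) covering the autorun
# key and the service hive paths named in the removal steps.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    OracleCache    REG_SZ    C:\ProgramData\Oracle\bin\fake.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted
    Type    REG_DWORD    0x20

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ParallelDisk
    Start    REG_DWORD    0x0
    ImagePath    REG_EXPAND_SZ    C:\Users\jdoe\.cache\svrun.exe
    Type    REG_DWORD    0x10
"""

# "reg query" prints values as: <4 spaces>Name<4 spaces>REG_TYPE<4 spaces>Data
VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)(?:\s{4}(.*))?$")
EXE_RE = re.compile(r'([^\\\s"]+\.exe)')
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "%temp%", "\\temp\\")
ENV = {"%systemroot%": "c:\\windows", "%windir%": "c:\\windows"}  # assumed expansions
# Indicator names taken from the sheet's removal steps.
KNOWN_VALUE_NAMES = {"oraclecache"}
KNOWN_SERVICES = {"paralleldisk"}
KNOWN_BINARIES = {"svrun.exe", "fake.exe", "del.exe"}


def parse_reg_query(text: str) -> dict:
    """Parse reg query output into {key_path: {value_name: (reg_type, data)}}."""
    keys = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = (m.group(2), m.group(3) or "")
        elif line.upper().startswith("HKEY_"):
            current = line.strip()
            keys.setdefault(current, {})
    return keys


def _normalise(path: str) -> str:
    p = path.strip().strip('"').lower()
    for var, value in ENV.items():
        p = p.replace(var, value)
    return p


def _suspicious_path(path: str) -> bool:
    """True for binaries in user-writable locations or with known payload names."""
    p = _normalise(path)
    m = EXE_RE.search(p)
    exe = m.group(1) if m else ""
    return any(marker in p for marker in USER_WRITABLE) or exe in KNOWN_BINARIES


def hunt_persistence(keys: dict) -> list:
    """Return entries an analyst should review before removing them."""
    findings = []
    for key, values in keys.items():
        tail = key.rsplit("\\", 1)[-1].lower()
        if tail in ("run", "runonce"):
            for name, (_rtype, data) in values.items():
                if name.lower() in KNOWN_VALUE_NAMES or _suspicious_path(data):
                    findings.append({"rule": "autorun_user_writable_or_known",
                                     "key": key, "value": name, "data": data})
        elif "\\services\\" in key.lower():
            start = values.get("Start", ("", ""))[1]
            image = values.get("ImagePath", ("", ""))[1]
            try:
                boot_start = int(start, 16) == 0
            except ValueError:
                boot_start = False
            if tail in KNOWN_SERVICES or (image and _suspicious_path(image)):
                findings.append({"rule": "service_user_writable_or_known", "key": key,
                                 "value": "ImagePath", "data": image,
                                 "boot_start": boot_start})
    return findings


if __name__ == "__main__":
    for finding in hunt_persistence(parse_reg_query(SAMPLE_REG_QUERY)):
        print(finding)
```

The script reports rather than deletes: a boot-start service pointing into a user profile is almost certainly hostile, but autorun entries under ProgramData are common for legitimate agents, so the list is meant to be reviewed against the forensic collection from step 3 before anything is removed.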

3. File Decryption & Recovery

  • No cryptographic flaw found so far – AES-256-CTR file encryption with RSA-2048-OAEP key wrapping; keys are generated on the victim host, then encrypted with the attacker’s embedded public key.
  • Free decryptor: Not available from law enforcement or the No More Ransom portal as of 10 May 2024.
  • Brute-forcing AES is mathematically infeasible; do not waste cycles except for research purposes.
  • Recovery options today:
    – Restore from offline / cloud backups.
    – Look for local Volume-Shadow copies: vssadmin list shadows; Fake deletes them but the wipe is sometimes incomplete → use ShadowExplorer.
    – Check Windows “File History”, OneDrive/SharePoint “Previous Versions”, or 3rd-party backup agents.
    – Contact incident-response vendor; in some cases threat-intel teams can obtain master keys if law-enforcement seizes a server—success rate low but non-zero (e.g., notable with BitPaymer, sometimes with Fake raids).
  • Paying the ransom (BTC 0.7–1.2) is NOT recommended: fewer than 55 % of victims report full, working decryptors; transfers risk sanctions violations; payment encourages further criminal development.

4. Other Critical Information

  • Network-aware encryption: Fake performs an ARP scan to discover hosts, then targets their C$ / ADMIN$ shares; it uses the compromised account’s AD token (Kerberos) rather than EternalBlue—so even fully-patched Samba shares can be hit.
  • Command-and-Control: HTTPS to randomly-generated DGA sub-domains under the .top / .click TLDs; also uses the Telegram API to exfiltrate a minimal system fingerprint.
  • Data-leak extortion: Inserts a “#Leaks” flag in the ransom note if it successfully uploaded >100 MB of files to MEGA.nz; a copy of the stolen data is auctioned on the “FakeLeaks” Tor blog.
  • Ransom note: “HOWTORECOVER.FAKE.txt” (dropped in every directory) + sets the desktop wallpaper to an ASCII skull drawn with “F” characters (unique visual clue).
  • Destructive twist: If run with the “--wipe” argument it overwrites encrypted files with random bytes and then deletes them – recovery impossible; the argument is reportedly triggered by attackers to cover tracks when they fear detection.
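The C2 description above (DGA sub-domains under .top / .click, plus the Telegram API) is something a resolver log can be screened for. The following Python code is an added example, not part of the sheet and not a vendor detection: it scores the second-level label of each queried name by Shannon entropy, flags long high-entropy labels under the two watched TLDs, flags the Telegram Bot API host as a review prompt, and summarises distinct matches per client so that a burst from one host stands out. The log lines are constructed; the length and entropy thresholds, the host name for the Telegram API (api.telegram.org) and the function names are my own choices.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver query log (not real telemetry): "timestamp client qname".
SAMPLE_DNS_LOG = """\
2024-05-10T01:31:02 10.0.4.17 www.microsoft.com
2024-05-10T01:31:05 10.0.4.17 xk9q2mz7vbtl.top
2024-05-10T01:31:07 10.0.4.17 api.telegram.org
2024-05-10T01:31:09 10.0.4.17 p0w3r8hq1ncz.click
2024-05-10T01:31:12 10.0.4.17 login.microsoftonline.com
2024-05-10T01:31:15 10.0.4.17 shop.example.top
2024-05-10T01:32:40 10.0.4.17 t6bq1xp9lm3d.top
2024-05-10T01:32:41 10.0.4.17 nkd7r2yz.top
2024-05-10T09:00:00 10.0.4.22 cdn.jsdelivr.net
"""

# TLDs named in the sheet's C2 description; the thresholds are my own tuning.
WATCHED_TLDS = ("top", "click")
MIN_LABEL_LEN = 10
MIN_ENTROPY_BITS = 3.0
TELEGRAM_API_HOST = "api.telegram.org"


def shannon_entropy(text: str) -> float:
    """Bits per character; random-looking labels score higher than dictionary words."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def registrable_label(qname: str):
    """Return (second-level label, tld) for a query name, or (None, None)."""
    parts = qname.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return None, None
    return parts[-2], parts[-1]


def classify_qname(qname: str):
    """Map one query name to a rule name, or None when nothing matched."""
    if qname.lower().rstrip(".") == TELEGRAM_API_HOST:
        return "telegram_api"
    label, tld = registrable_label(qname)
    if (tld in WATCHED_TLDS and label and len(label) >= MIN_LABEL_LEN
            and shannon_entropy(label) >= MIN_ENTROPY_BITS):
        return "dga_like_watched_tld"
    return None


def hunt_dns(log_text: str):
    """Return (findings, per-client count of distinct matching names per rule)."""
    findings = []
    per_client = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        rule = classify_qname(qname)
        if rule:
            findings.append({"time": ts, "client": client, "qname": qname, "rule": rule})
            per_client[client][rule].add(qname)
    summary = {c: {r: len(names) for r, names in rules.items()}
               for c, rules in per_client.items()}
    return findings, summary


if __name__ == "__main__":
    hits, by_client = hunt_dns(SAMPLE_DNS_LOG)
    for hit in hits:
        print(hit)
    print(by_client)
```

Short labels such as nkd7r2yz.top fall under the length threshold and are deliberately left unflagged, which is why the per-client summary matters: one host resolving several high-entropy names under the watched TLDs within a minute is a stronger indicator than any single name. Telegram API traffic is legitimate in many organisations, so that rule is a prompt to review the client, not a block decision.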

Key URLs / Tools

  • CISA Exchange listing: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-138a
  • MSERT (Microsoft Safety Scanner) – scan only, free: https://aka.ms/mpogrss
  • Exchange On-prem security update portal: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/
  • Microsoft Defender AV/RTP update KB 5034763 (Mar-2024) – includes detection for Ransom:Win32/FakeCrypt.
  • (If released later) Free decryptor archive https://www.nomoreransom.org → search for “Fake Decryptor”.

Bottom Line

The ransomware appending “.fake” demonstrates competent op-sec, multi-vector entry, and secure cryptography. Organisations must therefore rely on layered controls (patching, MFA, RDP restrictions, mail filters, 3-2-1 backups) and verified restore drills—because decryption is, at present, unattainable once encryption completes. Stay patched, stay backed-up, stay sceptical.